CATHAY GENERAL BANCORP - (CATY)

10-K Filing Date: February 28, 2024
Item 1C. Cybersecurity

 

Risk Management and Strategy

 

Our risk management program is designed to identify, assess, and mitigate risks across various aspects of our company, including financial, operational, regulatory, reputational, and legal risks. Cybersecurity is a critical component of this program, given our increasing reliance on technology and the potential for cyber threats. Our Chief Information Security Officer is primarily responsible for this cybersecurity component and is a key member of the risk management organization, reporting directly to the Chief Risk Officer and, as discussed below, periodically to board committees.

We rely on a series of processes to identify threats, hazards, and other risks to our assets. In addition to regular risk assessments, we rely on independent assessments, audits, and cybersecurity feeds from vendors, including feeds delivered directly into our patch and vulnerability management tools. Our processes and practices are reviewed by auditors, by regulators, and through independent reviews of our information security and cybersecurity practices and processes carried out by professional services organizations that we retain, measured against industry requirements such as the Federal Financial Institutions Examination Council (FFIEC) Information Technology Examination Handbooks and the FFIEC Cybersecurity Assessment Tool. These frameworks also provide guidance that we leverage for overseeing and identifying cybersecurity threats associated with the use of third-party service providers. The Bank also retains third-party experts to conduct intrusion and penetration testing on an annual basis.

Our assets are classified and protected based on the results of our risk assessment practices, which assess a variety of critical factors, including the type of data stored, system availability needs, confidentiality requirements, recovery time objectives, transactional processing, the number of users, and the volume and magnitude of transactions. Our Information Technology and Information Security teams meet weekly across several disciplines to ensure that risks are identified in a timely manner, patch and vulnerability requirements are monitored, and the necessary changes are implemented.

The Information Security and Information Technology teams support the business through early engagement in the Project Management Office routines and the Vendor Management Office’s requirements, ensuring that new products, projects, and third-party vendors are onboarded with appropriate oversight.

 

Identified Cybersecurity Risks

 

Federal regulators have issued multiple statements regarding cybersecurity, indicating that financial institutions need to design multiple layers of security controls to establish lines of defense and to ensure that their risk management processes also address the risk posed by compromised client credentials, including security measures to reliably authenticate clients accessing the financial institution’s internet-based services. In addition, a financial institution’s management is expected to maintain sufficient business continuity planning processes to ensure the rapid recovery, resumption and maintenance of the institution’s operations in the event of a cyber-attack. A financial institution is also expected to develop appropriate processes to enable recovery of data and business operations and to address rebuilding network capabilities and restoring data if the institution or its critical service providers fall victim to a cyber-attack. If we fail to observe the regulatory guidance, we could be subject to various regulatory sanctions, including financial penalties.

 

State regulators have also been increasingly active in implementing cybersecurity standards and regulations. Recently, several states, notably including California where our banking business is concentrated, have adopted laws and/or regulations requiring certain financial institutions to implement cybersecurity programs and providing detailed requirements with respect to these programs, including data encryption requirements. Many such states (including California) have also recently implemented or modified their data breach notification and data privacy requirements. We expect this trend of state-level activity in those areas to continue, and we continue to monitor relevant legislative and regulatory developments in California where most of our clients are located.

 

In the ordinary course of business, we rely on electronic communications and information systems to conduct our operations and to store sensitive data. We employ a layered, defensive approach that leverages people, processes and technology to manage and maintain cybersecurity controls. We employ a variety of preventative and detective tools to monitor, block, and provide alerts regarding suspicious activity, as well as to report on any suspected advanced persistent threats. Notwithstanding the strength of our defensive measures, the threat from cyber-attacks is severe, attacks are sophisticated and increasing in volume, and attackers respond rapidly to changes in defensive measures. While to date we have not detected a significant compromise, significant data loss or any material financial losses related to cybersecurity attacks, our systems and those of our clients and third-party service providers are under constant threat and it is possible that we could experience a significant event in the future. Risks and exposures related to cybersecurity attacks are expected to remain high for the foreseeable future due to the rapidly evolving nature and sophistication of these threats, as well as due to the expanding use of Internet banking, mobile banking and other technology-based products and services by us and our clients. See Item 1A. Risk Factors for a further discussion of risks related to cybersecurity.

 

Management and Board Oversight of Cybersecurity Risks

 

Our Information Security Program is managed by a dedicated Chief Information Security Officer (“CISO”), who leads our Information Security team, which is responsible for enterprise-wide cybersecurity strategy, policy, standards, architecture, and processes. Our CISO holds a BSc degree in the combined studies of Computer Science & History of Science from Heriot-Watt University and is a graduate of Carnegie Mellon University’s Heinz College of Information Systems and Public Policy and Software Engineering Institute’s Chief Risk Officer Executive Education and Certificate Program. He holds the following professional certifications from the Information Systems Audit and Control Association: Certified Information Systems Auditor (CISA), Certified in the Governance of Enterprise IT (CGEIT), and Certified in Risk and Information Systems Control (CRISC). Additionally, he has more than 20 years of experience in financial services, including management experience with Global Systemically Important Banks, as well as experience in cybersecurity, information security and information technology risk management, and governance, risk, and compliance.

 

The CISO provides periodic reports to the executive risk management committee and the board-level risk committees of the Company and the Bank, as well as the cross-functional management steering committee that oversees the information security and information technology programs. These reports address key cybersecurity topics, including the implementation and operation of preventative controls and the detection, mitigation and remediation of cybersecurity incidents. Our CISO also provides reports to our Chief Executive Officer and other members of our senior management, as appropriate. The Chief Risk Officer and the board-level risk committees of the Company and the Bank report to the full board of directors on key cybersecurity risk management topics, as appropriate.